FNO Port Isolation

Jason-ZA
So I find this to be an interesting topic that randomly comes up, but I haven't seen a dedicated thread about it.

Some fibre networks {won't mention names} don't isolate customers from each other, which I find a bit worrying, as it means someone could set up a rogue DHCP server or create a broadcast storm, etc.

So my question is, what are the main things we can do to protect ourselves in the meantime, until they decide it's important enough to look into?

Any tips?
e.g. MAC filtering our ISP's access routers' MAC addresses in our firewalls (would this even help?)

I am currently using a MikroTik.

@r00igev@@r @websquadza @TheRoDent - Tagging some technical networking guys.
Well, for us, we use PPPoE on L2 networks, which is our choice, because it means we can authenticate a client.

Anyone can start a rogue DHCP server. DHCP has zero authentication. Most FNOs that hand their traffic to us don't even consider broadcast storms, or the means to authenticate a valid client.

A client either has valid details, or they don't, when you use PPPoE.

DHCP doesn't really allow for this, unless you consider a router's "MAC address" to be a "password". And even then, rogue DHCP servers can be set up.

We prefer PPPoE, because it's a "contract" between us, the FNO, and our client, even if it may require some technical support around PPPoE.

Some ISPs use DHCP and basic IP networking because it's "free", meaning the ISP doesn't require a "BRAS", but it does depend on the FNO. They can just forward a packet.

Running a BRAS is not that hard, and it provides the ISP, and the client, a benefit.

PPP has solved 99% of issues, yet people call it a "legacy" technology.

Just because it's "legacy" doesn't mean it's not working.

Our preference will always be some means of termination that is not DHCP, and that is authenticated...

For exactly the reasons you have mentioned.
It is not only the rogue DHCP server but the id10t who connects the LAN port to the WAN port. It's also the dodgy bloke like me who runs Wireshark or Ettercap.
Another thing that you can do is buy a gig service, create a secondary private network and connect your neighbours who have connected at 25Mbps at a higher speed.
The best thing you can do is filter comms to the default gateway only and assume you're never going to speak to another person on the same FNO service.
But yes, PPPoE is better due to its security benefits and its stability. It has better clamping ability, with the occasional problem being MTU sizes, which a decent router should be able to resolve. The UBNT stuff sucks at this.
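The rogue-DHCP concern raised in the opening post, as an added example that is not from any poster in this thread: a small Python parser for DHCP server replies that flags an OFFER or ACK whose server identifier (option 54) or advertised default gateway (option 3) is not the ISP's, which is what "only ever talk to the default gateway" looks like on the detection side. The addresses (100.64.0.1 as the ISP's gateway, 100.64.7.77 as the rogue) and the packet builder are constructed for the example, not taken from any real network.

```python
import struct
from socket import inet_aton, inet_ntoa

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_dhcp(pkt: bytes) -> dict:
    """Decode the BOOTP fixed header and the DHCP option list (RFC 2131/2132)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, hlen = pkt[0], pkt[2]
    fields = {"op": op, "yiaddr": inet_ntoa(pkt[16:20]),
              "chaddr": pkt[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end-of-options marker
            break
        length = pkt[i + 1]
        fields["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def check_reply(pkt: bytes, expected_server: str, expected_gateway: str) -> list:
    """Return alerts for a DHCPOFFER/DHCPACK whose server or router is not the ISP's."""
    d = parse_dhcp(pkt)
    opts = d["options"]
    msg_type = opts.get(53, b"\x00")[0]
    if d["op"] != 2 or msg_type not in (2, 5):   # only server replies: OFFER=2, ACK=5
        return []
    server = inet_ntoa(opts[54]) if 54 in opts else None   # option 54: server identifier
    router = inet_ntoa(opts[3]) if 3 in opts else None     # option 3: default gateway
    alerts = []
    if server != expected_server:
        alerts.append(f"rogue DHCP server {server} offered {d['yiaddr']} to {d['chaddr']}")
    if router != expected_gateway:
        alerts.append(f"unexpected default gateway {router} (expected {expected_gateway})")
    return alerts

def build_offer(yiaddr: str, server_id: str, router: str) -> bytes:
    """Build a minimal DHCPOFFER; a constructed sample for testing, not a real capture."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      bytes.fromhex("aabbccddeeff") + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, 2]) + bytes([54, 4]) + inet_aton(server_id)
            + bytes([3, 4]) + inet_aton(router) + bytes([255]))
    return hdr + MAGIC + opts
```

To use it against a real segment, feed `check_reply` the UDP payloads of port 67/68 traffic captured on the WAN interface (for example from a pcap) with your ISP's known gateway address; any non-empty result is a reply that did not come from the ISP.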